Networked data storage systems provide convenient data access, centralized file storage, and powerful data management solutions for users. Such data storage systems and the hosts connected to them, however, are susceptible to attacks by malicious third parties. As a result of such attacks, legitimate applications running on networked hosts may become infected with a virus, and malware may be installed on hosts or on the data storage system itself. Another example of destructive activity is a denial-of-service (DoS) attack.
In carrying out their respective functions, such attacks may cause a storage processor that controls the data storage system to exhibit a particular response. For example, each known virus has a particular effect on the load that it produces on the storage processor. Along these lines, one particular virus might cause the storage processor to gradually increase storage allocation requests over a period of time, while another may cause spikes at various instances over another period of time.
In order to detect legitimate applications infected by viruses, conventional virus detection tools compare current or recent data access patterns to data access pattern signatures from known viruses. For example, such tools may record responses of a storage processor to known viruses and store such responses in a table. Such responses may take the form of a time series of storage allocation requests over a period of time, for example. When a virus attack is suspected, a conventional virus detection tool compares a time series of current storage allocation requests to the time series corresponding to the known viruses stored in the table.
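The table comparison described above can be sketched as follows; this is an added illustration, not code from the original text. The signature values, the sample series, the use of Pearson correlation, the 0.9 threshold, and the names `SIGNATURES`, `pearson` and `best_match` are all assumptions, since the text does not say how the comparison is performed.

```python
import math

# Constructed signature table: label -> storage allocation requests per interval.
# The two shapes mirror the behaviours described above (gradual increase, spikes).
SIGNATURES = {
    "ramp":   [10, 12, 14, 16, 18, 20, 22, 24],
    "spikes": [10, 10, 60, 10, 10, 60, 10, 10],
}

# Constructed observations of current allocation requests.
OBS_SPIKY = [11, 9, 10, 11, 58, 9, 10, 63, 11, 10, 9]
OBS_RAMP = [5, 5, 5, 20, 24, 28, 32, 36, 40, 44, 48, 5]
OBS_FLAT = [20] * 12  # steady benign load


def pearson(a, b):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    da = [x - mean_a for x in a]
    db = [y - mean_b for y in b]
    denom = math.sqrt(sum(x * x for x in da) * sum(y * y for y in db))
    if denom == 0:  # zero variance: correlation is undefined, treat as no match
        return 0.0
    return sum(x * y for x, y in zip(da, db)) / denom


def best_match(observed, signatures=SIGNATURES, threshold=0.9):
    """Slide every signature over the observed series.

    Returns (label, score, offset) for the best alignment whose correlation
    is at or above the threshold, or None if nothing in the table matches.
    """
    best = None
    for label, sig in signatures.items():
        width = len(sig)
        for off in range(len(observed) - width + 1):
            score = pearson(observed[off:off + width], sig)
            if best is None or score > best[1]:
                best = (label, score, off)
    if best is None or best[1] < threshold:
        return None
    return best


if __name__ == "__main__":
    for name, series in [("spiky", OBS_SPIKY), ("ramp", OBS_RAMP), ("flat", OBS_FLAT)]:
        print(name, best_match(series))
```

Correlation compares shape only, so a ramp with a different slope still matches the "ramp" entry, and a load pattern that is absent from the table returns no match at all.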